CVE-2022-39328: Critical vulnerability affects open-source analytics Grafana

CVE-2022-39328

Open source analytics & monitoring solution Grafana received an update recently to fix three security vulnerabilities. Among them, a flaw is rated Critical.

Grafana is an open-source visualization and analytics platform that unifies data sets across your company into an interactive diagnostic workspace. Grafana is built on a plug-in architecture that allows you to interact with the underlying data sources without creating data copies. Create, explore, and share dashboards with your team and foster a data-driven culture: Visualize, Dynamic Dashboards, Explore Metrics, Explore Logs, Alerting, and Mixed Data Sources.

The first bug, tracked as CVE-2022-39328, is unauthorized access to arbitrary endpoints which allows attackers to query protected endpoints. The issue has a CVSS severity score of 9.8.

“An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints,” read the security update.

CVE-2022-39328 flaw affects all installations for Grafana versions >=9.2.x. Fortunately, patches are already available.

Also resolved by Grafana versions 9.2.4 and 8.5.15 is two moderate severity flaws. Tracked as CVE-2022-39306, the bug is a privilege escalation with a CVSS severity score of 6.4. Grafana versions <=9.x and <8.x are vulnerable.

Grafana also fixed the username enumeration bug by abusing the forget password on the login page. Tracked as CVE-2022-39307. The CVSS score for this vulnerability is 5.3.

According to public reports, there are thousands of Grafana servers exposed on the public internet. Users running an affected installation of the aforementioned bugs are recommended to upgrade to the latest version as soon as possible.